Press Release: 4/28/2026

Massachusetts Slaps $1.25 Million Fine for Data Breach

A major financial services provider has been slapped with a $1.25 million fine for its “failure to enforce appropriate cybersecurity controls.”

The fine was announced by Massachusetts Secretary of the Commonwealth William F. Galvin against Fidelity Brokerage Services in connection with a data breach affecting approximately 77,000 customers. According to a press release, after learning of the breach, Fidelity also failed to notify many impacted residents, including the relatives and minor children of Fidelity customers.



According to a consent order filed with Galvin’s Securities Division today, Fidelity’s insufficient enforcement of its own cybersecurity protocols allowed a bad actor, over a three-day period in August 2024, to access images of documents containing Social Security numbers, active credit card and financial account numbers, medical information, passports, driver’s licenses, and other personally identifiable information. 

The documents accessed in the data breach contained not only the information of existing Fidelity customers, but also that of beneficiaries and relatives, some of whom were minors.

As explained in the consent order, the breach occurred when a bad actor exploited a vulnerability in Fidelity’s online access controls that allowed any Fidelity customer to access the documents of another customer. By manipulating the 10-digit “Image ID” displayed in the browser when accessing the customer’s own documents, the customer could access other users’ documents as well.

“Any authenticated user, after logging into their Fidelity.com account and attempting to retrieve an image associated with their account, could take certain actions to ultimately see that the Image ID was composed of a ten digit string of numbers,” the order continues.
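The flaw the order describes is an insecure direct object reference: the server authenticated the user but authorised nothing, so a valid session plus a guessable identifier was enough. The following is an added example, not Fidelity's code or anything taken from the consent order; the account names, Image IDs and log lines are all constructed. It shows a retrieval handler with that defect beside a hardened one that checks ownership server-side, replaces the sequential ID with an opaque handle, and flags a session that is denied access to a run of neighbouring IDs.

```python
"""Insecure direct object reference (IDOR) in a document-image endpoint:
a handler that trusts a sequential Image ID, next to a hardened version
that checks ownership server-side and hands the browser opaque handles,
plus a small enumeration detector. All data here is constructed."""
import secrets
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Image:
    image_id: str   # sequential 10-digit identifier, as in the order
    owner: str      # account the document belongs to
    body: bytes


# Constructed sample store; the IDs, owners and contents are made up.
IMAGES: Dict[str, Image] = {
    "1000000001": Image("1000000001", "alice", b"alice-statement"),
    "1000000002": Image("1000000002", "bob", b"bob-passport-scan"),
}


class Forbidden(Exception):
    """Raised when the session may not see the requested document."""


def get_image_vulnerable(session_user: Optional[str], image_id: str) -> Optional[bytes]:
    """Authenticated but not authorised: the handler confirms a session
    exists and then serves whatever the supplied Image ID points at."""
    if session_user is None:
        return None
    img = IMAGES.get(image_id)
    return img.body if img else None


def get_image_hardened(session_user: str, image_id: str) -> bytes:
    """Ownership is decided server-side from the session, never from the
    identifier. 'Not found' and 'not yours' give the same response, so the
    endpoint does not confirm which neighbouring IDs exist."""
    img = IMAGES.get(image_id)
    if img is None or img.owner != session_user:
        raise Forbidden("no such document")
    return img.body


# Opaque handle -> (owner, image_id); replaces the guessable ID in URLs.
HANDLES: Dict[str, Tuple[str, str]] = {}


def issue_handle(owner: str, image_id: str) -> str:
    """Give the browser a random token instead of the sequential ID. The
    server still checks ownership on use; the token only removes the
    ability to reach a neighbouring document by changing digits."""
    token = secrets.token_urlsafe(32)
    HANDLES[token] = (owner, image_id)
    return token


def get_image_by_handle(session_user: str, token: str) -> bytes:
    """Resolve the opaque handle, then apply the same ownership check."""
    owner, image_id = HANDLES.get(token, (None, None))
    if owner is None or owner != session_user:
        raise Forbidden("no such document")
    return get_image_hardened(session_user, image_id)


def is_denied(fn, *args) -> bool:
    """True if the call raises Forbidden; used to check the handlers."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


# Constructed access-log lines: user, requested Image ID, HTTP status.
SAMPLE_LOG = """\
alice 1000000001 200
alice 1000000002 403
alice 1000000003 403
alice 1000000004 403
bob 1000000002 200
"""


def flag_enumeration(log_text: str, threshold: int = 3) -> List[str]:
    """Users denied access to at least `threshold` distinct Image IDs. With
    the hardened handler, probing adjacent IDs appears as a run of 403s
    from one session rather than as disclosures."""
    denied: Dict[str, set] = defaultdict(set)
    for line in log_text.splitlines():
        user, image_id, status = line.split()
        if status == "403":
            denied[user].add(image_id)
    return sorted(u for u, ids in denied.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print(get_image_vulnerable("alice", "1000000002"))  # another user's document is returned
    print(is_denied(get_image_hardened, "alice", "1000000002"))  # True
    print(flag_enumeration(SAMPLE_LOG))  # ['alice']
```

The ownership check belongs in the data access itself (in SQL terms, `WHERE image_id = ? AND owner = ?`), not in a wrapper that can be bypassed by a second route to the same table; the opaque handle is defence in depth, not a substitute for that check.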

In addition to imposing the $1.25 million administrative fine, the Division has ordered Fidelity to engage an independent cybersecurity consultant, to certify that cybersecurity controls related to customer data have been changed and enhanced, and to identify and notify all Massachusetts residents whose personal information was exposed in the data breach and who were not previously notified.